From d307fe2e0701d6a498e6a538dac4d80526deddbe Mon Sep 17 00:00:00 2001
From: Casey Brooks <casey.brooks@agyn.io>
Date: Fri, 29 May 2026 01:33:56 +0000
Subject: [PATCH 1/2] feat(ziti): add debug service state rpc

---
 .../ziti_management/v1/ziti_management.proto  | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/proto/agynio/api/ziti_management/v1/ziti_management.proto b/proto/agynio/api/ziti_management/v1/ziti_management.proto
index 3d968e2..d513ada 100644
--- a/proto/agynio/api/ziti_management/v1/ziti_management.proto
+++ b/proto/agynio/api/ziti_management/v1/ziti_management.proto
@@ -59,6 +59,9 @@ service ZitiManagementService {
   // Also deletes attached config objects.
   rpc DeleteService(DeleteServiceRequest) returns (DeleteServiceResponse);
 
+  // Expose Service -> inspect OpenZiti service state for timeout diagnostics.
+  rpc DebugServiceState(DebugServiceStateRequest) returns (DebugServiceStateResponse);
+
   // Users Service -> create an OpenZiti identity for a user device with
   // roleAttributes: ["devices"] and enrollment.ott: true.
   // Returns the identity ID and enrollment JWT.
@@ -281,6 +284,54 @@ message DeleteServiceRequest {
 
 message DeleteServiceResponse {}
 
+// ===========================================================================
+// DebugServiceState
+// ===========================================================================
+
+message DebugServiceStateRequest {
+  // OpenZiti service ID, preferred when expose has persisted it.
+  string ziti_service_id = 1;
+  // OpenZiti service name fallback, e.g. "exposed-<id>".
+  string ziti_service_name = 2;
+}
+
+message DebugServiceStateResponse {
+  string ziti_service_id = 1;
+  string ziti_service_name = 2;
+  repeated string role_attributes = 3;
+  repeated DebugConfig configs = 4;
+  repeated DebugServicePolicy service_policies = 5;
+  repeated DebugTerminator terminators = 6;
+}
+
+message DebugConfig {
+  string id = 1;
+  string name = 2;
+  string config_type_id = 3;
+  string config_type_name = 4;
+  string json = 5;
+}
+
+message DebugServicePolicy {
+  string id = 1;
+  string name = 2;
+  string type = 3;
+  repeated string identity_roles = 4;
+  repeated string service_roles = 5;
+}
+
+message DebugTerminator {
+  string id = 1;
+  string identity = 2;
+  string router_id = 3;
+  string router_name = 4;
+  string precedence = 5;
+  int32 cost = 6;
+  int32 dynamic_cost = 7;
+  string binding = 8;
+  string address = 9;
+}
+
 // ===========================================================================
 // CreateDeviceIdentity
 // ===========================================================================

From 363345466a52026f8fd76a7170a7fab1768870a1 Mon Sep 17 00:00:00 2001
From: Casey Brooks <casey.brooks@agyn.io>
Date: Fri, 29 May 2026 01:53:31 +0000
Subject: [PATCH 2/2] fix(ziti): make debug service identifier explicit

---
 .../api/ziti_management/v1/ziti_management.proto       | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/proto/agynio/api/ziti_management/v1/ziti_management.proto b/proto/agynio/api/ziti_management/v1/ziti_management.proto
index d513ada..157a61d 100644
--- a/proto/agynio/api/ziti_management/v1/ziti_management.proto
+++ b/proto/agynio/api/ziti_management/v1/ziti_management.proto
@@ -289,10 +289,12 @@ message DeleteServiceResponse {}
 // ===========================================================================
 
 message DebugServiceStateRequest {
-  // OpenZiti service ID, preferred when expose has persisted it.
-  string ziti_service_id = 1;
-  // OpenZiti service name fallback, e.g. "exposed-<id>".
-  string ziti_service_name = 2;
+  oneof service_identifier {
+    // OpenZiti service ID, preferred when expose has persisted it.
+    string ziti_service_id = 1;
+    // OpenZiti service name fallback, e.g. "exposed-<id>".
+    string ziti_service_name = 2;
+  }
 }
 
 message DebugServiceStateResponse {